For cybercriminals, the search for new ways to infiltrate critical networks, systems, and databases is constant. They often focus on the weakest link of supply chains consisting of customers, service providers, product producers and third-party vendors. Breaching just one part of the ecosystem to gain access to credentials can then open the door for criminal activity in other environments across the supply chain.
This makes it vital to continuously assess the security postures of all organizations within a supply chain. Setting policies and controls as a one-time event—and letting them ride for an extended time—will not do a company or any of its customers and vendors any good; in fact, if threats are not accurately mapped to the current business environment and tied to the current threat landscape, the business could be compromised, resulting in a devastating, unrecoverable event.
New regulations and standards also constantly emerge, and existing compliance frameworks, models, and laws are becoming increasingly stringent in their requirements as well as their enforcement. Just because an organization’s security posture complies with a set of requirements today does not mean it will comply tomorrow. And just because auditors haven’t uncovered fine-worthy compliance gaps yet doesn’t mean they won’t at some point.
Both of these factors can serve as catalysts as organizations work to address increasing regulatory requirements and enforcement. They can also play a key role as certification organizations administer compliance certifications and continuously raise the quality of their risk-management programs, their requirements, and the entire risk-management process. Ongoing optimization of quality is a crucial and fundamental process; only then can certification organizations guarantee that quality is upheld consistently by all security assessors and by the organizations across supply chain ecosystems that rely upon them.
6 Key Attributes to Ensure Quality in Security Compliance Certifications
Businesses and organizations assessing their own security posture, as well as the security postures of their customers and third-party vendors, rely heavily on security certification organizations to continuously drive quality into their risk management and compliance programs. To meet this need, certification organizations need to use a quality assurance model built on six key attributes:
1. Transparency—the framework for specifying and certifying security controls should be publicly available so everyone can understand which security controls are measured and how they are measured. The controls as well as the implementation, assessment, and reporting methodologies must be regularly vetted by external organizations and industry experts in an open and transparent development and update process.
2. Accuracy—the certification process must ensure accuracy in the reporting of the security controls implemented by a business or organization. Assessors can note, for example, the extent to which control policies and procedures are documented, whether each control has been implemented, and if each control is being measured and monitored.
3. Consistency—consistency in evaluating security controls and in assessment reporting can be assured, regardless of the specific assessor, by requiring all assessors to be trained and certified by the certifying organization. The assessment training should include guidance for each security maturity level and each control. In addition, the certification organization should audit all third-party assessments to verify their accuracy.
4. Scalability—the security framework controls identified by the certification organization must scale to address the needs of entire industries, based on the size and type of organizations, and the information systems being protected. The security controls should also be tailorable to fit unique threat and risk environments.
5. Efficiency—the certification program should address multiple compliance and best-practice requirements while supporting the consistent reporting of controls, tailored and mapped to each compliance requirement. This allows for coherent reporting options across multiple standards, regulations and frameworks from a single assessment, so organizations can assess their security posture once and provide the resulting report to multiple customers and vendors. In this regard, the assessment process reduces the inefficiencies and costs of conducting the multiple security assessments requested by customers and vendors.
6. Reliability—security certification programs must provide a high degree of assurance for relying parties such as internal stakeholders (auditors, management, Board of Directors) and external stakeholders (customers, business partners, vendors and regulators). The certification program should also rely on assessments conducted by independent assessors, which are then reviewed by the certifying organization. This two-step validation process ensures the reliability and overall quality of security control assessments across major standards, regulations, and other frameworks.
Organizations that administer IT security and compliance assessments and aspire to build all of these attributes into their certification programs must also continuously evaluate areas of security that organizations can improve upon. By using a methodology to review certification outcomes and incorporate feedback throughout the process—including framework control guidance, assurance requirements, assessor requirements, and training requirements—certification organizations can quickly update any and all pieces of the process.
Streamlined Compliance Creates More Time for Customers
The effort by IT security certification organizations to increase the quality of their risk management and compliance programs must continuously evolve. Certifying bodies should champion programs that help businesses and organizations safeguard sensitive information and manage information risk throughout their supply chain ecosystems. But this cannot occur at the expense of business development, innovation, and customer satisfaction.
Furthermore, as security certification organizations develop, maintain, and provide access to their risk and compliance management frameworks, related assessments, and assurance methodologies, it’s also important to collaborate with leaders from the public and private sectors who oversee privacy, information security, and risk management. Ultimately, this will help all organizations—globally, across all industries, and businesses of all sizes—to protect their digital assets as well as the digital assets of their customers and vendors.
With an efficient and effective means to achieve this desired posture—mapped to standards and regulations—organizations will spend less time chasing compliance and focus more time on helping customers, driving their business, and achieving their mission.
About the Author: Dr. Bryan Cline provides thought leadership on risk management and compliance and develops the methodologies used in various components of the HITRUST Approach. This includes a focus on the design of the HITRUST CSF and the assessment and certification models used in the HITRUST CSF Assurance Programs, for which he provides technical direction and oversight. Cline is also responsible for addressing emerging trends that impact risk management and compliance in order to ensure the HITRUST Approach sets the bar for organizations seeking the most comprehensive privacy and security frameworks available. Cline previously served as the HITRUST Vice President of Standards and Analysis.